Gambling Websites Paying Protection to Cyber Blackmailers

For online gambling websites, cyber-threats are often just a cost of doing business.

(Credit: Reuters)

Cyber-attacks, cyber-security and cyber-spying have a very public profile at the moment. Both the American and British governments are battling hacking attempts on businesses. At the same time, the Prism scandal rumbles on, with the NSA and GCHQ busy deflecting accusations that they monitor communications data of private citizens.

In reports from media outlets and statements from industry watchdogs, we often hear of the "growing concern" of cyber-attacks; the "growing threat." Following the Prism revelation especially, it feels like cyber experts are capable of anything, as if merely going on the internet makes you vulnerable to identity theft, data monitoring and robbery.

But in the world of online gambling, cyber-threats are not so glamorous. Far-removed from the arch menace of NSA agents or Chinese hackers, the people targeting betting websites are just a constant nuisance. Their modus operandi is to launch, or threaten to launch Distributed Denail of Service (DDoS) attacks, purposeful acts of sabotage where typically a huge amount of data floods a website's server, overloading it and taking it offline.

Though DDoS attacks are usually performed using a network of malware-infected PCs called a botnet - as IBTimes UK has investigated previously - it's not a case these days of individuals needing to set up the botnet themselves. You can now hire an organisation to perform a DDoS attack for you; in the case of online gambling sites, this means service outages are now an accepted cost of doing business.

Nuisance

"There won't be a crisis of internet crime," says Ashley Stephenson of web security firm Corero "it's just a nuisance. Like real-life, with credit card fraudsters or people who knock on old people's doors pretending to be electricians, we'll always have these bottom feeders, this background level of activity. It's part of having an online business."

Gambling sites are often targeted at peak times says Stephenson, either during or just before major sporting events. Attackers will first contact the site and threaten them with a DDoS attack. Rather than risk being pulled offline and losing business, gambling sites often accept these threats as just another overhead, and bow to attacker's demands, which are often paltry when compared to the cost of prolonged site downtime.

"We've seen cases of gaming companies receiving anonymous threats saying that if they don't contribute to some untraceable digital money bank, like BitCoin, that they will be disrupted," says Stephenson. "Betting sites are highly dependent on peak times during sporting events, peak times during things like boxing matches. These are their most critical times, when people are betting on dynamic odds in unison with a live stream.

"If a gambling service goes offline during the Grand National, people will click to their next favourite gambling service. So the cost today is in downtime. It's like forcing a high street shop to be closed for a day."

Standard fit

Stephenson also says there's no standard fit for perpetrators of these attacks; they can be orchestrated by individuals buying a DDoS attack for hire or large organisations with their very own botnets:

"We've seen instances of disgruntled individuals, or small groups that are milking sites for money, but also instances where it's been more organised."

The motivations behind a DDoS attack, or threatening to launch a DDoS attack also vary:

"We saw one example where a gaming company was changing the rules of their game, and the result of that rule change would make it harder for third-parties to make money off the game. Those parties were annoyed with that so launched DDos style attacks on the company to try and reverse those rule changes in the game.

"You also get examples," Stephenson continues "of people making large bets on say interactive poker, and then purposefully crashing the site if it looks like they're going to lose. In the physical word it's like getting up and tipping the table over."

Expected

Corero estimates than on average, a DDoS attack will cost a gambling site £150,000 in lost business. Stephenson says there are three ways to deal with it:

"You can consider these things a nuisance and just pay the demands and move on; tolerate the attack and just take a hit; or dig in, and invest in making your security more robust."

Especially when compared to the potential risk, the cost of DDoS protection comes cheap: Cloudflare, in the US, offers DDoS protection for $200 (£130) a month. It's the equivalent, Stephenson says, of fitting your house with locks or your car with an alarm. Contrary to the big bad NSA stories currently doing the rounds, cyber-threats in the online gaming world are a constant pest. The risk is certainly real, but in terms of escalating, or threating to overturn the industry, DDoS attacks aren't the real deal. Instead, Stephenson concludes, they're comparable to real-world petty crimes:

"I wouldn't say it's routine yet, but it's expected. It's the cost of doing business on the internet."